Remote exploitation of multiple integer overflow
vulnerabilities within OpenOffice, as included in various
vendors' operating system distributions, allows attackers to
execute arbitrary code.

These vulnerabilities exist within the TIFF parsing code of
the OpenOffice suite. When parsing the TIFF directory entries
for certain tags, the parser uses untrusted values from the
file to calculate the amount of memory to allocate. By
providing specially crafted values, an integer overflow occurs
in this calculation. This results in the allocation of a
buffer of insufficient size, which in turn leads to a heap
overflow.

Remote exploitation of multiple integer overflow
vulnerabilities within OpenOffice, as included in various
vendors' operating system distributions, allows attackers to
execute arbitrary code.

These vulnerabilities exist within the TIFF parsing code of
the OpenOffice suite. When parsing the TIFF directory entries
for certain tags, the parser uses untrusted values from the
file to calculate the amount of memory to allocate. By
providing specially crafted values, an integer overflow occurs
in this calculation. This results in the allocation of a
buffer of insufficient size, which in turn leads to a heap
overflow.

OpenOffice creates a working directory in /tmp on startup,
and uses this directory to temporarily store document
content. However, the permissions of the created directory
may allow other user on the system to read these files,
potentially exposing information the user likely assumed was
inaccessible.

AD-LAB reports that a heap-based buffer overflow
vulnerability exists in OpenOffice's handling of DOC
documents. When reading a DOC document 16 bit from a 32 bit
integer is used for memory allocation, but the full 32 bit
is used for further processing of the document. This can
allow an attacker to crash OpenOffice, or potentially
execute arbitrary code as the user running OpenOffice, by
tricking an user into opening a specially crafted DOC
document.

OpenOffice creates a working directory in /tmp on startup,
and uses this directory to temporarily store document
content. However, the permissions of the created directory
may allow other user on the system to read these files,
potentially exposing information the user likely assumed was
inaccessible.

AD-LAB reports that a heap-based buffer overflow
vulnerability exists in OpenOffice's handling of DOC
documents. When reading a DOC document 16 bit from a 32 bit
integer is used for memory allocation, but the full 32 bit
is used for further processing of the document. This can
allow an attacker to crash OpenOffice, or potentially
execute arbitrary code as the user running OpenOffice, by
tricking an user into opening a specially crafted DOC
document.